Introduction The concept of “SQL Injection”


Introduction
The concept of “SQL Injection”
Commands susceptible to injection attacks
Some simple code
Some security holes
Preventing injection attacks

SQL Injects – Start wailing...
Assuming you have good security in place, making queries against an online database is difficult. A hacker would need to know the name and server location of the database file, plus some details of the fields used in a Members table, in order to run an attack. This could take a long time to guess... Surprisingly, passwords can be obtained using SQL injection through ordinary website forms.

SQL Injection
This kind of attack is not a technological security hole in the operating system or server software. It depends on the way that a website is developed. Some developers are unaware of this kind of attack and unknowingly build web applications that open doors for hackers to inject SQL queries / commands into the system. To perform SQL injection, all an attacker needs is a web browser and some guesswork to find important table and field names.

SQL Injection
Once an attacker realizes that a system is vulnerable to SQL injection, they are able to inject SQL queries / commands through an input form field. This is equivalent to handing the attacker the Query Browser, allowing them to send any SQL command like SELECT, INSERT, DELETE and DROP TABLE to the database!

Here’s a standard login form:

    <form method="post" action="login.php">
      <input type="text" name="username">
      <input type="password" name="password">
    </form>

And here’s a standard PHP SELECT statement that is built from the user’s input to the form (the variables are interpolated straight into the double-quoted string):

    $query = "SELECT userid FROM Members WHERE username = '$username' AND password = '$password' ";

Suppose that we gave "Joe" as a username and that the following string was provided as a password:

    anything' OR 'x'='x

This would build the following SQL SELECT statement:

    "SELECT userid FROM Members WHERE username = 'Joe' AND password = 'anything' OR 'x'='x' ";

Because the application is just constructing a string, the single quote in the password closes the string literal and the rest of the input becomes SQL, turning the WHERE into a two-component clause. The 'x'='x' part is always true, so the whole clause is true regardless of what the first part contains (AND binds more tightly than OR, so the username / password check is simply OR-ed with a true condition). This allows the attacker to bypass the login form without knowing a valid username / password combination!

Finding useful information
Most members-only websites contain a link to retrieve a forgotten password. If not carefully designed, these forms are ripe for hacking! Mostly, these forms just consist of a single input box into which you type your email address. Put this into a “retrieve login details” form, changing 'field' to any field name (e.g. Email):

    x' OR field LIKE '%harry%

Finding useful information
If the field does not exist, you will get an SQL error. Otherwise you’ve found a field name! If the user does not exist, you will probably be told that your username is invalid. Otherwise, you will get some kind of "We have emailed your user details to your email address" message (usually revealing the email address in the process). Therefore, by trial and error, you can find a valid user email address within the table! Now, what can we do with this information?

Using gained information
In SQL Server, Oracle and MySQL we can run multiple SQL statements by using SQL injections. Assuming we have discovered that the email field in the database is ‘Email’ and we have found a valid email address ‘harry.fowler@psychonaut.net’, then we can change their address in the table to ours:

    x'; UPDATE Members SET Email = 'hacker@hacker.org' WHERE Email = 'harry.fowler@psychonaut.net

Using gained information
Now we can get hold of their password by simply entering our email address into the retrieve password form. Scary huh? How about deleting tables?

    x' UNION DROP TABLE Users;--

This makes use of the SQL comment marker -- to close off the statement, making it valid. Surprisingly, MS Access cannot run multiple SQL commands in one go and so paradoxically is safer!

Preventing SQL Injections
The best way to defend against SQL injection attacks is:
to use “prepared statements” if possible;
to filter extensively any input that a user can give.
You should remove everything but the known good data and filter meta characters from the user input. Remember to put maxlength attributes on your input boxes, but don’t rely on them: they help to ensure that only what should be entered in the field is submitted to the server, but they are enforced by the browser, not the server.

Background Reading
SQL injection:
http://en.wikipedia.org/wiki/Sql_injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Prepared statements:
http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
http://en.wikipedia.org/wiki/Prepared_statement